Can I bridge a cisco router off to a linux server?

We have a scenario where we must "bridge" a Cisco router to the Linux server on the LAN, as we want the Linux server to get the public IP. The thing is, we like the debugging tools on the Cisco router when it comes to PPPoE/PPPoA connections with the ISP (yes, our ISP still uses usernames and passwords).

The problem is, of course, that using the PPPoE command on the router means that the dialer interface gets the CPE address from the ISP, which means that I can't use those public addresses on the connecting port of the Linux server.

Is there a way of connecting to the ISP on the Cisco router with PPPoE and still bridging the router so that the Linux server uses the CPE address?

Or must I essentially turn the Linux server into a DMZ zone on a different public subnet and use the CPE as a firewall?

I don't think it is possible.
If you have a static IP (usually it is DHCP negotiated, but some ISPs allow reserving a static IP) and more than one public address, you can make a static NAT on the router for the Linux server.
The other option is to use dynamic NAT and port forwarding for the services on the Linux machine you want to be visible outside.

Static NAT maps a public IP to a LAN IP so every packet is routed to that NIC. You give your server a private address and map it to your public dialer address. As Fidelius said, with static NAT you need more than one public IP, as your Linux server will consume the first one. It will have internet access and it will be seen from the internet. The catch is that no one else will be able to access the internet, as there are no addresses left to do PAT.

Can you get your ISP to allocate you more than one IP when you log in?
Many ISPs will do that for you, and you can then easily create a no-NAT config by using an unnumbered link to the ISP.

For example, you configure your 1st IP on the inside Ethernet of the router.
Then configure the dialer interface to be unnumbered (e.g. ip address unnumbered eth0).
The Linux server then takes one of the other addresses that you've been allocated from the same subnet.

I think the only other alternative is to do a 1:1 NAT on the Cisco, which for most applications will give you the same result that you're looking for. Also easy to set up:

piwowarc: you said the following: "You give your server private address nad map it to you public dialer address. As Fidelius said with static NAT you need more than one public IP as your Linux server will consume the first one". If I map the private address to the public address and enable NAT on the Linux server via iptables (remember my clients will sit BEHIND the Linux server), won't that be able to NAT all the LAN IP addresses behind the Linux server to the "mapped" public IP? Or am I totally confused?

e.g., my router IP is 203.111.1.1 on the dialer interface ----> 10.10.10.1/24 is my vlan1 interface IP -----> connects directly to the eth0 device on the Linux server, 10.10.10.3/24 -------> eth1 is 172.16.0.0/25 and all devices sit behind eth1 and have the 172.16.0.0/25 subnet

Doesn't this mean that all PRIVATE IPs of 172.16.0.0/25 will NAT overload onto the 10.10.10.3 IP, and since that is mapped to the DIALER interface on the router (which happens to be PUBLIC), can't that route out to the internet?

FYI, I have tested this and it doesn't work, so my logic is obviously flawed. Sorry, having a hard time understanding.

Hey guys, please scratch what I wrote above, I just got more 'details' on what is needed.

Okay, because of the need to provide "conferencing" capabilities, which vendors like HP, Dell etc. do at this site, they "require" an unconditional amount of public IP addresses that can be reached from outside and inside users to connect to electronically hosted demos, like IP phones or electronic whiteboards, whatever, so I had ordered additional IP addresses from the ISP.

Is the consensus here that all I need to do is a 1:1 static NAT from each internal device to a unique public address? Is that all that is required? And in doing so, will internal LAN IPs be routable to this address also?

If you have plenty of public IP addresses then you don't really need NAT at all.
If they're all in the same subnet, then the unnumbered solution I gave you will work well.
If they're a routed subnet provided by the ISP, just use one of them for the router's inside address, and use the PPP-provided one for the outside.

Also, I can't just map every internal private IP to a public IP, only clients that request it. We are working on a system that gives out a public IP depending on approved MAC addresses, so it can only be for specific devices, not every device in the private network.

If you need NAT, you can combine NAT and PAT on different public IP addresses easily.
That was the second half of my earlier solution. Just substitute different inside and outside addresses in the NAT statement. You can still overload the dialer (or any other of your addresses) for PAT.

PPP is the "ppp" part of PPPoA or PPPoE that you mentioned in your first statement.
Perhaps you're making the solution more complicated than you need to.
Does the Linux server also do NAT? I.e. are you using it as another router/firewall?

I don't know of a way that you could allocate a public IP based on MAC address in the Cisco world, so presumably you're doing this on the Linux gateway.

In which case, your best option is no NAT at all on the Cisco. If the pool of public IP addresses you have been given is in the subnet of the router address allocated when you log in, use the unnumbered solution. You would then do all the PAT and NAT on the Linux server.

I think maybe we need a very simple overview/diagram to understand the connectivity between the internal clients, the Linux server, the Cisco router, and the Internet.
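The unnumbered, no-NAT router setup PSLmike describes (first public address on the inside interface, dialer unnumbered to it, all NAT left to the Linux gateway), written out as an added example; this is not configuration from anyone in the thread. It assumes a constructed allocation of 203.0.113.0/29 that the ISP routes down this PPPoE session, an interface naming of FastEthernet0/0 for the modem link and Vlan1 for the LAN, CHAP authentication, and placeholder credentials.

```cisco
! Added example, not configuration from anyone in this thread.
! Assumptions (all constructed): the ISP routes 203.0.113.0/29 to this
! PPPoE session and accepts the router presenting an address from that
! block as its PPP address, which is what "ip unnumbered" relies on.
! No NAT is configured on the router; the Linux gateway at 203.0.113.2
! does whatever NAT/PAT its own clients need.
!
interface FastEthernet0/0
 description Physical link to the DSL/fibre modem, no IP of its own
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
!
interface Vlan1
 description Inside LAN, first public address of the allocated block
 ip address 203.0.113.1 255.255.255.248
 ip tcp adjust-mss 1452
 no shutdown
!
interface Dialer1
 description PPPoE session to the ISP, borrows the Vlan1 address
 ip unnumbered Vlan1
 mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME-PLACEHOLDER@isp.example
 ppp chap password 0 PASSWORD-PLACEHOLDER
!
! "Interesting traffic" that brings the dialer up, and the default route
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1
```

Because Dialer1 borrows its address from Vlan1, the LAN interface must be up before the PPP session can pass traffic. To confirm the ISP accepted the proposed address rather than imposing its own, watch the IPCP exchange with `debug ppp negotiation` and then check `show pppoe session` and `show ip interface brief`; if the ISP insists on handing out a separate address, that is the "routed subnet" case PSLmike mentions, where the dialer uses `ip address negotiated` instead and the block is routed to it. ISPs that authenticate with PAP rather than CHAP take `ppp pap sent-username` with a password in place of the two `ppp chap` lines.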

Hi Mike, thank you for your patience, I will upload a diagram of the infrastructure tomorrow and what we need, if you could take a quick glance and offer your opinion, that would be enough and I will just test it next week when I return to the office.

A network diagram will definitely help to clarify the situation.
As PSLmike said earlier, if you have more than one public IP address it is very easy to solve the problem with one static NAT statement for the Linux server and a PAT statement for all other IPs.

Ok, sorry for the crudeness, but I've had to rush it as I have little time. The attachment is a (very rough) diagram.

We have a Cisco router; 10.100.23.0/24 is the management subnet.
This connects to a managed switch that connects to the Linux server, which acts as a Wi-Fi hotspot service. This currently has NAT enabled, which means clients (laptops) that connect to the Wi-Fi from their SSID network get NATted twice.

What I need to do is have a way I can place a laptop or some other device behind the Linux server which can be given a public IP address, be routable from the outside world, and be able to route outside.

If you need only one laptop to be routable, and you have more than one public IP address, it is not a problem. You need only two static NAT statements, one on the Cisco and one on the Linux server, and the laptop IP should be static, not DHCP.

If you want more than one, you need multiple statements as above, and a public IP for every host. In other words, all of it has to be static.
No inside host can be routable from outside if you use PAT or DHCP (without reservation).
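The router half of what Fidelius and PSLmike describe, combining 1:1 static NAT for the hosts that must be reachable from outside with PAT (overload) onto the dialer address for everyone else, as an added example; it is not configuration from anyone in the thread. It assumes Dialer1 and Vlan1 already exist as the PPPoE and LAN interfaces, a constructed routed block 203.0.113.0/29, the OP's Linux gateway at 10.10.10.3, and a second, dedicated address 10.10.10.4 on that gateway reserved for one laptop behind it.

```cisco
! Added example, not configuration from anyone in this thread.
! Assumptions (all constructed): the ISP assigns the dialer address by
! IPCP and separately routes 203.0.113.0/29 to this session; the Linux
! gateway is 10.10.10.3 and also holds 10.10.10.4, which it forwards 1:1
! to a single laptop with a fixed address behind it.
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
! 1:1 (static) NAT: one public address per host that must be reachable
! from the Internet. Each mapping consumes a whole public address, which
! is why a single public IP leaves nothing over for PAT.
ip nat inside source static 10.10.10.3 203.0.113.3
ip nat inside source static 10.10.10.4 203.0.113.4
!
! PAT (overload) onto the dialer address for every other inside host.
! The statically mapped addresses are excluded so they never match the
! dynamic rule; inside hosts translated this way are not reachable from
! outside, as Fidelius notes.
access-list 10 deny   10.10.10.3
access-list 10 deny   10.10.10.4
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface Dialer1 overload
```

The second static statement Fidelius mentions lives on the Linux server: an iptables DNAT of anything arriving for 10.10.10.4 to the laptop's fixed private address, paired with an SNAT of that laptop's outbound traffic back to 10.10.10.4, while the hotspot's ordinary clients keep masquerading behind 10.10.10.3. Using a dedicated inside address for the laptop keeps its inbound traffic from colliding with return traffic for the masqueraded clients. On the router, `show ip nat translations` lists the static entries permanently and the PAT entries as they are created, and `show ip nat statistics` shows which rule each packet hit.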

Thus my dilemma! Without doing some sort of DMZ (which I cannot do, as clients will sit behind a device and port that is NATted), how can I give the laptops a public IP and expect the outside world to be able to route to it?
